Role-Based Access Control (RBAC) lets you define fine-grained permissions for members based on their roles. An RBAC policy is composed of roles, resources, and actions, defining who can do what within your application.

Using RBAC

1

Get your RBAC policy

Fetch your current RBAC policy using the Get Policy endpoint:
curl --request GET \
  --url https://test.stytch.com/v1/b2b/rbac/policy \
  --user 'PROJECT_ID:SECRET'
Response:
{
  "status_code": 200,
  "policy": {
    "roles": [
      {
        "role_id": "stytch_admin",
        "description": "Full access to all organization resources",
        "permissions": [
          {
            "resource_id": "documents",
            "actions": ["read", "write", "delete"]
          }
        ]
      }
    ],
    "resources": [
      {
        "resource_id": "documents",
        "description": "Organization documents",
        "actions": ["read", "write", "delete"]
      }
    ]
  }
}
See Create RBAC Policy to set up your policy in the Dashboard.
2

Assign roles to members

Assign roles when creating or updating members:
curl --request PUT \
  --url https://test.stytch.com/v1/b2b/organizations/organization-test-.../members/member-test-... \
  --header 'Content-Type: application/json' \
  --user 'PROJECT_ID:SECRET' \
  --data '{
    "roles": ["stytch_admin", "editor"]
  }'
Members can have multiple roles, and their permissions are the union of all role permissions.
3

Check permissions

Enforce permissions by passing the member's session token in the X-Stytch-Member-Session header when calling API endpoints:
curl --request DELETE \
  --url https://test.stytch.com/v1/b2b/organizations/organization-test-.../members/member-test-... \
  --header 'X-Stytch-Member-Session: <session_token>' \
  --user 'PROJECT_ID:SECRET'
Stytch verifies that the member identified by the session holds the permission that endpoint requires before processing the request; if the member is not authorized, the request returns a 403 error.
For custom resources (those your own application enforces), use Authenticate Session with the authorization_check parameter, so that the authentication call itself fails when the member lacks the requested action on the resource:
curl --request POST \
  --url https://test.stytch.com/v1/b2b/sessions/authenticate \
  --header 'Content-Type: application/json' \
  --user 'PROJECT_ID:SECRET' \
  --data '{
    "session_token": "<session_token>",
    "authorization_check": {
      "organization_id": "organization-test-...",
      "resource_id": "documents",
      "action": "write"
    }
  }'

RBAC policy structure

An RBAC policy consists of three components:
  • Roles - Named collections of permissions (e.g., admin, editor, viewer)
  • Resources - Objects members can access (e.g., documents, settings, reports). Stytch provides default resources like stytch.organization and stytch.member.
  • Actions - Operations members can perform on resources (e.g., read, write, delete)
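The following is an added example, not Stytch's code or SDK. It re-implements, offline, the decision that the Check permissions step and the policy structure above describe: a policy document in the shape returned by Get Policy is loaded and validated, a member's effective permissions are computed as the union of their roles, and an (organization-scoped) resource/action check is answered deny-by-default. The policy below is constructed sample data; the editor, viewer and settings entries are assumptions added for illustration and are not on this page.

```python
"""Local evaluator for a Stytch-style RBAC policy document.

Added example, not Stytch's own code: it mirrors the union-of-roles semantics
described in the docs against a policy JSON of the shape returned by the Get
Policy endpoint, so an authorization decision can be traced offline.
"""
import json

# Constructed sample policy. The "editor", "viewer" and "settings" entries are
# assumptions for this example; only "stytch_admin" and "documents" are on the page.
POLICY_JSON = """
{
  "roles": [
    {"role_id": "stytch_admin",
     "description": "Full access to all organization resources",
     "permissions": [{"resource_id": "documents", "actions": ["read", "write", "delete"]},
                     {"resource_id": "settings", "actions": ["read", "write"]}]},
    {"role_id": "editor",
     "description": "Can read and write documents",
     "permissions": [{"resource_id": "documents", "actions": ["read", "write"]}]},
    {"role_id": "viewer",
     "description": "Read-only access to documents",
     "permissions": [{"resource_id": "documents", "actions": ["read"]}]}
  ],
  "resources": [
    {"resource_id": "documents", "description": "Organization documents",
     "actions": ["read", "write", "delete"]},
    {"resource_id": "settings", "description": "Organization settings",
     "actions": ["read", "write"]}
  ]
}
"""


class PolicyError(ValueError):
    """Raised when a role grants a resource or action the policy never declares."""


def load_policy(policy_json):
    """Parse the policy and validate every grant against the declared resources.

    Validating once at load time catches a misspelled resource or action in a
    role definition, which would otherwise silently grant nothing and be
    mistaken for a correctly scoped permission.
    """
    policy = json.loads(policy_json)
    resources = {r["resource_id"]: set(r["actions"]) for r in policy["resources"]}
    roles = {}
    for role in policy["roles"]:
        grants = {}
        for perm in role["permissions"]:
            rid = perm["resource_id"]
            if rid not in resources:
                raise PolicyError(f"role {role['role_id']!r} grants undefined resource {rid!r}")
            unknown = set(perm["actions"]) - resources[rid]
            if unknown:
                raise PolicyError(
                    f"role {role['role_id']!r} grants undefined actions {sorted(unknown)} on {rid!r}")
            grants.setdefault(rid, set()).update(perm["actions"])
        roles[role["role_id"]] = grants
    return {"roles": roles, "resources": resources}


def effective_permissions(policy, member_roles):
    """Union of the permissions of every role assigned to the member.

    A role the policy does not define contributes nothing, so an unknown or
    stale role name on a member record can never widen access.
    """
    effective = {}
    for role_id in member_roles:
        for rid, actions in policy["roles"].get(role_id, {}).items():
            effective.setdefault(rid, set()).update(actions)
    return effective


def is_authorized(policy, member_roles, resource_id, action):
    """Local equivalent of an authorization_check: True only if some assigned
    role grants `action` on `resource_id`; everything else is denied."""
    return action in effective_permissions(policy, member_roles).get(resource_id, set())


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    member_roles = ["editor", "viewer"]  # as set on the member via the update-member call
    for action in ("read", "write", "delete"):
        allowed = is_authorized(policy, member_roles, "documents", action)
        print(f"editor+viewer documents:{action} -> {allowed}")
```

Two properties worth keeping when you write your own enforcement around the Stytch check: the decision is deny-by-default (an empty role list, an undefined role, or an undeclared action all yield False), and the policy is validated before it is trusted, so a typo in a role's grants is an error at load time rather than a silent gap.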
